pgcrypto
LightDB-A Database is installed with an optional module of encryption/decryption functions called pgcrypto
. The pgcrypto
functions allow database administrators to store certain columns of data in encrypted form. This adds an extra layer of protection for sensitive data, as data stored in LightDB-A Database in encrypted form cannot be read by anyone who does not have the encryption key, nor can it be read directly from the disks.
Note The
pgcrypto
functions run inside the database server, which means that all the data and passwords move betweenpgcrypto
and the client application in clear-text. For optimal security, consider also using SSL connections between the client and the LightDB-A coordinator server.
Installing and Registering the Module
The pgcrypto
module is installed when you install LightDB-A Database. Before you can use any of the functions defined in the module, you must register the pgcrypto
extension in each database in which you want to use the functions. Refer to Installing Additional Supplied Modules for more information.
Configuring FIPS Encryption
Starting with LightDB-A 6.22, the pgcrypto
extension provides a module-specific configuration parameter, pgcrypto.fips
. This parameter configures LightDB-A Database support for a limited set of FIPS encryption functionality (Federal Information Processing Standard (FIPS) 140-2). For information about FIPS, see https://www.nist.gov/itl/popular-links/federal-information-processing-standards-fips. The default setting is off
, FIPS encryption is not enabled.
Before enabling this parameter, ensure that FIPS is enabled on all LightDB-A Database system hosts.
When this parameter is enabled, these changes occur:
- FIPS mode is initialized in the OpenSSL library
- The functions
digest()
andhmac()
allow only the SHA encryption algorithm (MD5 is not allowed) - The functions for the crypt and gen_salt algorithms are disabled
- PGP encryption and decryption functions support only AES and 3DES encryption algorithms (other algorithms such as blowfish are not allowed)
- RAW encryption and decryption functions support only AES and 3DES (other algorithms such as blowfish are not allowed)
To enable pgcrypto.fips
Enable the
pgcrypto
functions as an extension if it is not enabled. See Installing Additional Supplied Modules. This examplepsql
command creates thepgcrypto
extension in the databasetestdb
.psql -d testdb -c 'CREATE EXTENSION pgcrypto'
Configure the LightDB-A Database server configuration parameter
shared_preload_libraries
to load thepgcrypto
library. This example uses thegpconfig
utility to update the parameter in the LightDB-A Databasepostgresql.conf
files.gpconfig -c shared_preload_libraries -v '\$libdir/pgcrypto'
This command displays the value of
shared_preload_libraries
.gpconfig -s shared_preload_libraries
Restart the LightDB-A Database system.
gpstop -ra
Set the
pgcrypto.fips
server configuration parameter toon
for each database that uses FIPS encryption. For example, these commands set the parameter toon
for the databasetestdb
.psql -d postgres
ALTER DATABASE testdb SET pgcrypto.fips TO on;
Important You must use the
ALTER DATABASE
command to set the parameter. You cannot use theSET
command that updates the parameter for a session, or use thegpconfig
utility that updatespostgresql.conf
files.After setting the parameter, reconnect to the database to enable encryption support for a session. This example uses the
psql
meta command\c
to connect to thetestdb
database.\c testdb
To disable pgcrypto.fips
If the database does not use
pgcrypto
functions, disable thepgcrypto
extension. This examplepsql
command drops thepgcrypto
extension in the databasetestdb
.psql -d testdb -c 'DROP EXTENSION pgcrypto'
Remove
\$libdir/pgcrypto
from theshared_preload_libraries
parameter, and restart LightDB-A Database. Thisgpconfig
command displays the value of the parameter from the LightDB-A Databasepostgresql.conf
files.gpconfig -s shared_preload_libraries
Use the
gpconfig
utility with the-c
and-v
options to change the value of the parameter. Use the-r
option to remove the parameter.Restart the LightDB-A Database system.
gpstop -ra
Additional Module Documentation
Refer to pgcrypto in the PostgreSQL documentation for more information about the individual functions in this module.